diff --git a/CHANGELOG.md b/CHANGELOG.md index b19657037996c097dda86a09b33dcac6d027dd53..a193fd08df0b5a03f8df5b01a2d454806f6d930a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.66.0-bb.0] - 2024-07-17 + +## Changed + +- Upgrade gitlab runner from 17.0.0 to 17.1.0: + - Make lifecycle options configurable in the deployment [upstream !473](https://gitlab.com/gitlab-org/charts/gitlab-runner/-/merge_requests/473) + - Add dedicated ServiceAccount configuration [upstream !415](https://gitlab.com/gitlab-org/charts/gitlab-runner/-/merge_requests/415/commits) + - Updated registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner 17.0.0 -> 17.1.0 + - Updated registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper 17.0.0 -> 17.1.0 + + ## [0.65.0-bb.3] - 2024-07-01 ### Fixed diff --git a/README.md b/README.md index 9ea89c3c612701d463d0f7310489275aff8322fd..d5884b7f9366cb7f86e8fa39c180ea4cd39057ac 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # gitlab-runner -  +  GitLab Runner @@ -38,7 +38,7 @@ helm install gitlab-runner chart/ |-----|------|---------|-------------| | image.registry | string | `"registry1.dso.mil"` | | | image.image | string | `"ironbank/gitlab/gitlab-runner/gitlab-runner"` | | -| image.tag | string | `"v17.0.0"` | | +| image.tag | string | `"v17.1.0"` | | | useTini | bool | `true` | | | imagePullPolicy | string | `"IfNotPresent"` | | | gitlabUrl | string | `"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181"` | | 
@@ -54,6 +54,10 @@ helm install gitlab-runner chart/ | rbac.clusterWideAccess | bool | `false` | | | rbac.podSecurityPolicy.enabled | bool | `false` | | | rbac.podSecurityPolicy.resourceNames[0] | string | `"gitlab-runner"` | | +| rbac.imagePullSecrets | list | `[]` | | +| serviceAccount.name | string | `""` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.imagePullSecrets | list | `[]` | | | metrics.enabled | bool | `false` | | | metrics.portName | string | `"tcp-metrics"` | | | metrics.port | int | `9252` | | @@ -65,7 +69,7 @@ helm install gitlab-runner chart/ | runners.job.tag | string | `"9.4"` | | | runners.helper.registry | string | `"registry1.dso.mil"` | | | runners.helper.repository | string | `"ironbank/gitlab/gitlab-runner/gitlab-runner-helper"` | | -| runners.helper.tag | string | `"v17.0.0"` | | +| runners.helper.tag | string | `"v17.1.0"` | | | runners.config | string | `"[[runners]]\n clone_url = \"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181\"\n cache_dir = \"/tmp/gitlab-runner/cache\"\n [runners.kubernetes]\n pull_policy = \"always\"\n namespace = \"{{.Release.Namespace}}\"\n image = \"{{ printf \"%s/%s:%s\" .Values.runners.job.registry .Values.runners.job.repository .Values.runners.job.tag }}\"\n helper_image = \"{{ printf \"%s/%s:%s\" .Values.runners.helper.registry .Values.runners.helper.repository .Values.runners.helper.tag }}\"\n image_pull_secrets = [\"private-registry\"]\n [runners.kubernetes.pod_security_context]\n run_as_non_root = true\n run_as_user = 1001\n [runners.kubernetes.helper_container_security_context]\n run_as_non_root = true\n run_as_user = 1001\n [runners.kubernetes.pod_labels]\n \"job_id\" = \"${CI_JOB_ID}\"\n \"job_name\" = \"${CI_JOB_NAME}\"\n \"pipeline_id\" = \"${CI_PIPELINE_ID}\"\n \"app\" = \"gitlab-runner\"\n"` | | | runners.configPath | string | `""` | | | runners.locked | bool | `true` | | 
@@ -100,6 +104,7 @@ helm install gitlab-runner chart/ | hostAliases | list | `[]` | | | deploymentAnnotations | object | `{}` | | | deploymentLabels | object | `{}` | | +| deploymentLifecycle | object | `{}` | | | podAnnotations | object | `{}` | | | podLabels | object | `{}` | | | priorityClassName | string | `""` | | diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 1bfdfa9f0d982c4c054b3f2fa538c1286a857284..3987a4774ebb4563ca8041157759e2a6bbe013c1 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: gitlab-runner -version: 0.65.0-bb.3 -appVersion: 17.0.0 +version: 0.66.0-bb.0 +appVersion: 17.1.0 description: GitLab Runner keywords: - git @@ -21,12 +21,12 @@ dependencies: repository: oci://registry1.dso.mil/bigbang annotations: bigbang.dev/applicationVersions: | - - Gitlab Runner: v17.0.0 + - Gitlab Runner: v17.1.0 helm.sh/images: | - name: gitlab-runner - image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v17.0.0 + image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v17.1.0 - name: gitlab-runner-helper - image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v17.0.0 + image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v17.1.0 - name: ubi9 image: registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.4 diff --git a/chart/Kptfile b/chart/Kptfile index 9a9cedadabb55ac90a36d1029a754d673eba11bd..fa01c9aef8c8fa91e736beed637850f912eba4cf 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: e3df4d644b3c152ac35c2005ae8559e14af1aaf0 + commit: f70d01fd3871c77202a3066bef69492d818eff5e repo: https://gitlab.com/gitlab-org/charts/gitlab-runner directory: / - ref: v0.65.0 + ref: v0.66.0 diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt index 68ab758f0b6e250115879ee5c8bd6f2687f18ab3..75c5967fedef95ba80a854e7d204261e7c722bf8 100644 --- a/chart/templates/NOTES.txt +++ b/chart/templates/NOTES.txt 
@@ -34,3 +34,32 @@ Runner namespace {{ $runnerNamespace }} was found in runners.config template.
 #############################################################################################
 {{- end }}
 {{- end }}
+{{- if and .Values.rbac.create (kindIs "invalid" .Values.serviceAccount.create) }}
+
+#############################################################################################
+## WARNING: You enabled `rbac` without specifying if a service account should be created. ##
+## Please set `serviceAccount.create` to either `true` or `false`. ##
+## For backwards compatibility a service account will be created. ##
+#############################################################################################
+{{- end }}
+{{- if .Values.rbac.serviceAccountName }}
+
+#############################################################################################
+## WARNING: You have set the deprecated field `rbac.serviceAccountName`. ##
+## Please use `serviceAccount.name` instead. ##
+#############################################################################################
+{{- end }}
+{{- if .Values.rbac.serviceAccountAnnotations }}
+
+#############################################################################################
+## WARNING: You have set the deprecated field `rbac.serviceAccountAnnotations`. ##
+## Please use `serviceAccount.annotations` instead. ##
+#############################################################################################
+{{- end }}
+{{- if .Values.rbac.imagePullSecrets }}
+
+#############################################################################################
+## WARNING: You have set the deprecated field `rbac.imagePullSecrets`. ##
+## Please use `serviceAccount.imagePullSecrets` instead. ##
+#############################################################################################
+{{- end }}
\ No newline at end of file
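Review bot: The `rbac.serviceAccountName` banner does not say what happens when the deprecated field and `serviceAccount.name` are both set; in the new `gitlab-runner.serviceAccountName` helper of this commit the `serviceAccount.name` branch is checked first, so the deprecated value is silently ignored and the warning gives no hint which account the pods will actually use. Add a line to that banner such as `## If both are set, `serviceAccount.name` takes precedence. ##`, and the matching statement on the annotations banner, where `service-account.yaml` now merges both maps. The closing `{{- end }}` of the last block is followed by the `\ No newline at end of file` marker while the old last line was a context line, so this change drops the file's trailing newline; worth restoring while the file is being touched.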
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index 40476eff40b9487a2e91413a29663dcd3bbae837..ad8284bc631233f00222d286c0bcdd2bff01ef81 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -30,17 +30,6 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
-{{/*
-Define the name of the service account
-*/}}
-{{- define "gitlab-runner.serviceAccount" -}}
-{{- if .Values.rbac.create -}}
-{{- default (include "gitlab-runner.fullname" .) .Values.rbac.generatedServiceAccountName | quote -}}
-{{- else -}}
-{{- .Values.rbac.serviceAccountName | quote -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 Define the name of the secret containing the tokens
 */}}
@@ -68,6 +57,20 @@ Template for outputing the gitlabUrl
 {{- .Values.gitlabUrl | quote -}}
 {{- end -}}
 
+{{/*
+Define the name of the service account
+*/}}
+# TODO: Remove references to .Values.rbac
+{{- define "gitlab-runner.serviceAccountName" -}}
+{{- if or .Values.serviceAccount.create .Values.serviceAccount.name -}}
+{{- .Values.serviceAccount.name | default (include "gitlab-runner.fullname" .) | quote -}}
+{{- else if .Values.rbac.create -}}
+{{- default (include "gitlab-runner.fullname" .) .Values.rbac.generatedServiceAccountName | quote -}}
+{{- else -}}
+"{{- .Values.rbac.serviceAccountName -}}"
+{{- end -}}
+{{- end -}}
+
 {{/*
 Define the image, using .Chart.AppVersion and GitLab Runner image as a default value
 */}}
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index 78cd59bde091a643096ca01be9ca78b430f0f360..554b6501c622d0ffb7460decd8fff5a23070f73c 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
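Review bot: The new `gitlab-runner.serviceAccountName` helper and the new `service-account.yaml` condition in this same commit disagree when `serviceAccount.create` is explicitly `false`, `serviceAccount.name` is empty and `rbac.create` stays at its default `true`: the `else if .Values.rbac.create` branch returns the generated fullname, but the ServiceAccount manifest only renders when `serviceAccount.create` is true or unset, so the Deployment and RoleBinding would point at an account that is never created. Gating the branch the same way, `{{- else if and .Values.rbac.create (kindIs "invalid" .Values.serviceAccount.create) -}}`, would make an explicit `create: false` fall through to `rbac.serviceAccountName` as presumably intended. The `# TODO: Remove references to .Values.rbac` line sits outside any template comment; `service-account.yaml` in this commit uses `{{- /* TODO: ... */ -}}`, which is the safer form and keeps the two consistent. Finally, the hand-quoted `"{{- .Values.rbac.serviceAccountName -}}"` no longer escapes the value as the removed `| quote` did; if the goal is to still render `""` when the field is unset, `{{- .Values.rbac.serviceAccountName | default "" | quote -}}` should give both.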
@@ -60,7 +60,7 @@ spec:
 {{- if .Values.priorityClassName }}
 priorityClassName: {{ .Values.priorityClassName | quote }}
 {{- end }}
- serviceAccountName: {{ include "gitlab-runner.serviceAccount" . }}
+ serviceAccountName: {{ include "gitlab-runner.serviceAccountName" . }}
 containers:
 - name: {{ include "gitlab-runner.fullname" . }}
 image: {{ include "gitlab-runner.image" . }}
@@ -72,6 +72,9 @@ spec:
 {{- else }}
 command: ["/usr/bin/dumb-init", "--", "/bin/bash", "/configmaps/entrypoint"]
 {{- end }}
+ {{- if .Values.deploymentLifecycle }}
+ lifecycle: {{ toYaml .Values.deploymentLifecycle | nindent 10 }}
+ {{- end }}
 env:
 {{- include "gitlab-runner.runner-env-vars" . | indent 8 }}
 livenessProbe:
diff --git a/chart/templates/role-binding.yaml b/chart/templates/role-binding.yaml
index 63878f8a7b633c35e7e59d3ee445d0735c3d4075..18cb4be8d19d3504b16da5c8a24ca559363634c2 100644
--- a/chart/templates/role-binding.yaml
+++ b/chart/templates/role-binding.yaml
@@ -17,6 +17,6 @@ roleRef:
 name: {{ include "gitlab-runner.fullname" . }}
 subjects:
 - kind: ServiceAccount
- name: {{ include "gitlab-runner.serviceAccount" . }}
+ name: {{ include "gitlab-runner.serviceAccountName" . }}
 namespace: "{{ .Release.Namespace }}"
 {{- end -}}
diff --git a/chart/templates/service-account.yaml b/chart/templates/service-account.yaml
index 3f8b7c60de2b6e641eb383cb332791ff477cdaf0..61ca6fc528d701df34e4014b74a3891ddee9a0ff 100644
--- a/chart/templates/service-account.yaml
+++ b/chart/templates/service-account.yaml
@@ -1,23 +1,24 @@
-{{- if .Values.rbac.create -}}
+{{- /* TODO: Remove references to `.Values.rbac` */ -}}
+{{- if or .Values.serviceAccount.create (and .Values.rbac.create (kindIs "invalid" .Values.serviceAccount.create)) -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- {{- if .Values.rbac.serviceAccountAnnotations }}
+ {{- if or .Values.serviceAccount.annotations .Values.rbac.serviceAccountAnnotations }}
 annotations:
- {{- range $key, $value := .Values.rbac.serviceAccountAnnotations }}
+ {{- range $key, $value := merge .Values.serviceAccount.annotations .Values.rbac.serviceAccountAnnotations }}
 {{ $key }}: {{ tpl ($value) $ | quote }}
 {{- end }}
 {{- end}}
- name: {{ include "gitlab-runner.serviceAccount" . }}
+ name: {{ include "gitlab-runner.serviceAccountName" . }}
 namespace: {{ .Release.Namespace | quote }}
 labels:
 app: {{ include "gitlab-runner.fullname" . }}
 chart: {{ include "gitlab-runner.chart" . }}
 release: "{{ .Release.Name }}"
 heritage: "{{ .Release.Service }}"
-{{- if .Values.rbac.imagePullSecrets }}
+{{- if or .Values.serviceAccount.imagePullSecrets .Values.rbac.imagePullSecrets }}
 imagePullSecrets:
- {{- range .Values.rbac.imagePullSecrets }}
+ {{- range concat .Values.serviceAccount.imagePullSecrets .Values.rbac.imagePullSecrets }}
 - name: {{ . | quote }}
 {{- end }}
 {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 83a5594d7008317749ac7defafa895b9335cc756..f0d44346c872498210ef255bbb23b8215c03bff3 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -12,7 +12,7 @@ image: registry: registry1.dso.mil image: ironbank/gitlab/gitlab-runner/gitlab-runner - tag: v17.0.0 + tag: v17.1.0 ## When using GitLab Runner Helm Chart with gitlab-runner-ubi-images (https://gitlab.com/gitlab-org/ci-cd/gitlab-runner-ubi-images/container_registry) ## the installation fails because dumb-init is not packaged in the image. However, the tini is present.
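Review bot: The `concat` on the new `imagePullSecrets` range is guarded only by `or`, so when one of the two lists is set and the other is nil the render aborts, since as far as I can tell Sprig's `concat` does not accept a nil operand; both keys default to `[]` in this commit's `values.yaml`, but an override that sets either one to `null` (which Helm drops from the merged values) reaches exactly that state. Defaulting each operand keeps the template robust: `{{- range concat (default (list) .Values.serviceAccount.imagePullSecrets) (default (list) .Values.rbac.imagePullSecrets) }}`. On the annotations line, `merge` mutates its first argument, so `.Values.serviceAccount.annotations` carries the deprecated `rbac.serviceAccountAnnotations` keys once this template has rendered; harmless here, but a one-line comment such as `{{- /* merge mutates .Values.serviceAccount.annotations in place */ -}}` would stop someone later reusing that map in another template and expecting it unchanged.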
@@ -149,9 +149,13 @@ sessionServer: ## For RBAC support: rbac: + ## Specifies whether a Role and RoleBinding should be created + ## If this value is set to `true`, `serviceAccount.create` should also be set to either `true` or `false` + ## create: true ## Define the generated serviceAccountName when create is set to true ## It defaults to "gitlab-runner.fullname" if not provided + ## DEPRECATED: Please use `serviceAccount.name` instead generatedServiceAccountName: "" ## Define list of rules to be added to the rbac role permissions. @@ -179,6 +183,7 @@ rbac: clusterWideAccess: false ## Use the following Kubernetes Service Account name if RBAC is disabled in this Helm chart (see rbac.create) + ## DEPRECATED: Please use `serviceAccount.name` instead ## # serviceAccountName: default @@ -189,7 +194,9 @@ rbac: ## ## ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html ## - # serviceAccountAnnotations: {} + ## DEPRECATED: Please use `serviceAccount.annotations` instead + ## + # serviceAccountAnnotations: { } ## Use podSecurity Policy ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ 
@@ -202,7 +209,34 @@ rbac: ## ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account ## - # imagePullSecrets: [] + ## DEPRECATED: Please use `serviceAccount.imagePullSecrets` instead + ## + imagePullSecrets: [] + +## Configure ServiceAccount +## +serviceAccount: + ## Specifies whether a ServiceAccount should be created + ## + ## TODO: Set default to `false` + # create: false + ## The name of the ServiceAccount to use. + ## If not set and create is `true`, a name is generated using the `gitlab-runner.fullname`` template + ## + name: "" + ## Additional custom annotations for the ServiceAccount, useful for annotations such as eks.amazonaws.com/role-arn. + ## Values may refer other values as the _tpl_ function is implicitly applied. Mind the quotes when using this, e.g. + ## serviceAccountAnnotations: + ## eks.amazonaws.com/role-arn: "arn:aws:iam::{{ .Values.global.accountId }}:role/{{ .Values.global.iamRoleName }}" + ## + ## ref: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html + ## + annotations: { } + ## Specify one or more imagePullSecrets used for pulling the runner image + ## + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account + ## + imagePullSecrets: [ ] ## Configure integrated Prometheus metrics exporter ## @@ -335,7 +369,7 @@ runners: helper: registry: registry1.dso.mil repository: ironbank/gitlab/gitlab-runner/gitlab-runner-helper - tag: "v17.0.0" + tag: "v17.1.0" # runner configuration, where the multi line strings is evaluated as # template so you can specify helm values inside of it. 
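Review bot: The annotations example in the new `serviceAccount` block uses the key `serviceAccountAnnotations:`, but the field being documented is `serviceAccount.annotations`, so copying the example verbatim sets a key the templates never read; change the example line to `## annotations:`. The `name` comment also has a doubled backtick in "`gitlab-runner.fullname`` template". With `create` left commented out here and `rbac.create: true` as the chart default, every install that does not override it takes the `kindIs "invalid"` backward-compatibility path and prints the NOTES warning; unless the upstream TODO is to be resolved soon, setting `create: true` explicitly would let default installs render without a warning while keeping the same result. Lastly, `{ }` and `[ ]` with inner spaces differ from the `{}` / `[]` used elsewhere in this file (e.g. `deploymentLabels: {}`) and in the README table; `annotations: {}` and `imagePullSecrets: []` would match.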
@@ -711,6 +745,14 @@ deploymentLabels: {} # Example: # owner.team: <my_cool_team> +## Lifecycle options to be added to deployment +## +deploymentLifecycle: {} + # Example + # preStop: + # exec: + # command: ["/bin/sh", "-c", "echo 'shutting down'"] + ## Set hostname for runner pods #hostname: my-gitlab-runner diff --git "a/docs/IstioHar\342\200\216dened.md" b/docs/IstioHardened.md similarity index 100% rename from "docs/IstioHar\342\200\216dened.md" rename to docs/IstioHardened.md diff --git a/tests/images.txt b/tests/images.txt index 01325acb0c0f9586ec2e3287cc21ac701c0b7a54..342b1c126e8ac2fba32ac1b6b68b8277b623d329 100644 --- a/tests/images.txt +++ b/tests/images.txt @@ -1,2 +1,2 @@ -registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v17.0.0 +registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v17.1.0 registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.4
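Review bot: The comment `## Lifecycle options to be added to deployment` misstates where the value lands: `deployment.yaml` in this commit renders it as the `lifecycle` field of the runner container (between `command` and `env`), not on the Deployment object, and the README row inherits the same wording. Suggest `## Lifecycle hooks (e.g. preStop/postStart) rendered into the runner container's spec; see templates/deployment.yaml` so readers know that any `exec` command in the example runs inside the runner container. The example is otherwise consistent with the `{{- if .Values.deploymentLifecycle }}` gate, since the `{}` default renders nothing.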